4

I have a question posted already for this issue in Windows systems, and thought that non-Windows systems should perhaps be covered separately.

In NIST SP 800-53 Rev. 3, IA-5 is the control addressing "Authenticator Management". The requirements in this control include such things as enforcement of password length, complexity, lifetime, history, and proper storage/transmission of passwords.

The first enhancement for this control, which is selected for all (Low/Moderate/High) systems includes this requirement:

The information system, for password-based authentication:

...

(b) Enforces at least a [Assignment: organization-defined number of changed characters] when new passwords are created;

In most systems, it's pretty easy to find and configure the rules that enforce long and complex passwords which are changed regularly and do not exactly match a certain number of old passwords. But, how do you implement a policy that requires a certain amount of characters to be changed with every new password?

Some systems I'm interested in (feel free to address others):

  • Mac OS X
  • Linux/Unix (Any/all flavors)
  • Cisco IOS
Community
  • 1
Iszi
  • 26,997
  • 18
  • 98
  • 163
  • For Cisco IOS, simply set [`char-changes 8`](https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/xe-16-12/sec-usr-aaa-xe-16-12-book/sec-aaa-comm-criteria-pwd.html) (or whatever your value is) to implement this. – JamesTheAwesomeDude Jun 24 '22 at 20:50

2 Answers2

1

The approach I would recommend for enterprises would be to integrate these systems with your directory service, which for most will be Active Directory. This way your password policy is set in a single place and it bring other benefits in managing access control and roles in a single place. You can also then provide single sign-on and two factor authentication.

Guidance on doing this:

For Cisco IOS however TACACS+ or Radias servers are the best place to set policy centrally.

Rakkhi
  • 5,783
  • 1
  • 23
  • 47
1

It's pretty easy to do with PAM, so that covers Linux/Solaris/FreeBSD at least. Among other things the pam_cracklib module offers that functionality. Its default setting is actually to check for five character changed but can be configured by the difok option.

Bruno Rohée
  • 5,221
  • 28
  • 39